Digital forensics exam of servers seized in March point toward Russian hackers

Microsoft investigators uncovered a cache of more than 400,000 email addresses on one hard drive it seized in March when it led an organized takedown of the Rustock botnet, according to court documents.

In a status report submitted Monday to a federal judge, Microsoft spelled out the results of its ongoing investigation into the hardware obtained by the U.S. Marshals Service and other law enforcement agencies.

The takedown of Rustock -- a huge botnet responsible for sending as many as 30 billion spam messages daily -- was orchestrated by Microsoft , and backed by warrants that let authorities in the U.S. and elsewhere seize the hackers' command-and-control (C&C) servers.

"Additional evidence of the system's role in spam-dissemination was also uncovered, including custom-written software relating to assembly of spam emails and text files containing thousands of email addresses and username/password combinations," Microsoft told U.S. District Court Judge James Robart in the May 23 filing. "One text file alone contained over 427,000 email addresses."

Along with the email addresses, Microsoft's forensics experts also uncovered evidence that the cyber criminals used stolen credit cards to purchase hosting and email services.

Microsoft traced payments for the hosting of some of Rustock's C&C servers to a specific Webmoney account, and after asking the Russian online payment service for help, identified the owner of that account as one Vladimir Alexandrovich Shergin of Khimki, a city 14 miles northwest of Moscow.

The status report cautioned that Shergin might not be the actual purchaser of Rustock's C&C hosting services.

"Microsoft is continuing its investigation to determine whether the name and contact information are authentic, whether this is a stolen identity and/or whether this person is associated with the events in this action," the company said.

Rustock's C&C servers were taken offline in mid-March. Microsoft announced its part in the takedown May 17, just hours after security experts noticed that the botnet had gone dark .

Other tidbits gleaned from the seized computers pointed toward Russian hackers, said Microsoft.

Eighteen of the 20 drives obtained under the court order had been used as Tor nodes to provide the attackers with anonymous access to both the Internet as a whole, and to the hijacked Windows PCs that made up the Rustock botnet.

Tor relies on routing Internet traffic through a network machines maintained by volunteers in numerous countries, and is used not only by activists in nations where governments monitor or filter Web communication, but also by hackers to stymie detection.

The Rustock takedown is not the only one Microsoft has recently led: Last month, the company headed the takedown of Coreflood . As part of that anti-botnet action, the U.S. Department of Justice and the Federal Bureau of Investigation (FBI) were given permission to further disrupt the botnet by throwing a "kill switch" that disabled the Trojan on already-infected PCs.